The Chaes malware has resurfaced in an enhanced variant. This iteration incorporates a customized implementation of the Google DevTools Protocol, giving it direct access to victims' browser functionality, which it uses to steal data over WebSockets.
This malware was initially detected in November 2020, taking aim at e-commerce customers across Latin America. By the end of 2021, it had dramatically expanded its operations, as evidenced by Avast’s discovery of its distribution through 800 infiltrated WordPress websites.
Once a system is infected, Chaes implants malicious extensions into the host's Chrome browser. This allows the malware to maintain persistence, capture screenshots, extract saved passwords and credit card details, siphon cookies, and steal online banking credentials.
Morphisec spotted the recent Chaes variant in January 2023. This version showed a keen interest in platforms including Mercado Libre, Mercado Pago, WhatsApp Web, Itau Bank, Caixa Bank, MetaMask, and several CMS platforms, notably WordPress and Joomla.
The current campaign's infection method mirrors earlier ones: deceptive MSI installers launch a complex, multi-stage infection chain that uses seven distinct modules to carry out a range of actions.
The latest iteration of Chaes exhibits advancements in several areas, amplifying the stealth and efficiency of the malware.
In their analysis, Morphisec points out the key modifications in this Chaes version:
- Comprehensive code revamp.
- Added layers of encryption paired with enhanced covert techniques.
- A shift to Python for decryption and in-situ execution.
- Supplanting ‘Puppeteer’ with Chrome DevTools for tracking Chromium browser activities.
- Widening the net of services targeted for credential theft.
- Opting for WebSockets, in place of HTTP, for communication between the malware's modules and with the C2 server.
- Rolling out DGA (domain generation algorithm) for dynamic C2 server address determination.
Morphisec elucidates, “Rather than passively waiting for the user to access the targeted service, this module proactively engages with the service’s website, extracting the pertinent data – all facilitated by Google’s DevTools Protocol.”
The malware repeats this procedure for every URL pre-configured in the stealer module, exfiltrating the data it collects from each.
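Outside programs can normally drive the DevTools Protocol only when Chromium has been started with a remote-debugging endpoint (`--remote-debugging-port` or `--remote-debugging-pipe`), and sideloaded extensions are pushed in with `--load-extension`. The article does not say how Chaes attaches to the protocol, so the following is a generic hunting check over browser process command lines rather than a Chaes signature. It is an added example written for this page, not code from Morphisec or from the article; the binary list, the switch patterns and the sample command lines are all constructed here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// chromiumBinaries are the browser image names this check treats as
// Chromium-family (a constructed list; extend it for your estate).
var chromiumBinaries = []string{"chrome.exe", "chrome", "msedge.exe", "chromium", "brave.exe"}

// suspiciousSwitches are the command-line switches worth reviewing on a
// browser process: remote DevTools access and extension sideloading.
var suspiciousSwitches = []*regexp.Regexp{
	regexp.MustCompile(`--remote-debugging-port(=\d+)?`),
	regexp.MustCompile(`--remote-debugging-pipe`),
	regexp.MustCompile(`--load-extension=\S+`),
}

// Finding is one flagged command line with the switches that triggered it.
type Finding struct {
	CommandLine string
	Switches    []string
}

// imageName extracts the lower-cased basename of the executable from a
// command line, handling a double-quoted path as Windows logs usually show it.
func imageName(cmdline string) string {
	cmdline = strings.TrimSpace(cmdline)
	var exe string
	if strings.HasPrefix(cmdline, `"`) {
		end := strings.Index(cmdline[1:], `"`)
		if end < 0 {
			return ""
		}
		exe = cmdline[1 : 1+end]
	} else {
		fields := strings.Fields(cmdline)
		if len(fields) == 0 {
			return ""
		}
		exe = fields[0]
	}
	exe = strings.ToLower(exe)
	// Basename regardless of Windows or POSIX separators.
	if i := strings.LastIndexAny(exe, `\/`); i >= 0 {
		exe = exe[i+1:]
	}
	return exe
}

// isChromium reports whether the command line launches a known Chromium-family binary.
func isChromium(cmdline string) bool {
	exe := imageName(cmdline)
	for _, b := range chromiumBinaries {
		if exe == b {
			return true
		}
	}
	return false
}

// ScanCommandLines returns a Finding for every Chromium-family command line
// that carries a remote-debugging or extension-sideloading switch.
func ScanCommandLines(cmdlines []string) []Finding {
	var out []Finding
	for _, c := range cmdlines {
		if !isChromium(c) {
			continue
		}
		var hits []string
		for _, re := range suspiciousSwitches {
			if m := re.FindString(c); m != "" {
				hits = append(hits, m)
			}
		}
		if len(hits) > 0 {
			out = append(out, Finding{CommandLine: c, Switches: hits})
		}
	}
	return out
}

// sampleCommandLines are constructed for this example; they are not
// observations of Chaes or of any real host.
var sampleCommandLines = []string{
	`"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default`,
	`"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --user-data-dir=C:\Users\Public\tmp`,
	`C:\Windows\System32\notepad.exe --remote-debugging-port=9222`,
	`/usr/bin/chromium --headless --remote-debugging-pipe --load-extension=/tmp/ext`,
}

func main() {
	for _, f := range ScanCommandLines(sampleCommandLines) {
		fmt.Printf("flagged: %s\n  switches: %v\n", f.CommandLine, f.Switches)
	}
}
```

Feed it process-creation events (Sysmon Event ID 1, EDR telemetry) rather than a point-in-time process list, since a debugging-enabled browser may be short-lived. Legitimate automation and developer tooling also use these switches, so the output is a review queue, not a verdict.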
All interactions between the C2 and the malware are formatted in JSON, encoded in base64, and encrypted using AES, as detailed by Morphisec.
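The layering above matters to an analyst because the envelope has to be peeled in the reverse order it was built: AES decrypt first, then base64 decode, then parse the JSON. The following Go code is an added example for this page (not Morphisec's tooling or anything recovered from Chaes) showing a decoder structured that way, with constructed sample data. The article gives no cipher details, so AES-256 in CBC mode with PKCS#7 padding, a 16-byte IV prepended to the ciphertext, standard base64, and the JSON field names are all assumptions labelled as such; in a real case the key and mode come from the sample itself.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Message is a constructed envelope shape; Chaes's real field names are not on the page.
type Message struct {
	Module  string `json:"module"`
	Command string `json:"command"`
	Data    string `json:"data"`
}

// pkcs7Pad pads to a multiple of blockSize (assumed padding scheme).
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips the padding, rejecting malformed input.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("bad padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("inconsistent padding")
		}
	}
	return b[:len(b)-n], nil
}

// Wrap applies the three layers in the order the article gives:
// JSON, then base64, then AES (CBC, random IV prepended; assumed).
func Wrap(key []byte, m Message) ([]byte, error) {
	j, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	b64 := []byte(base64.StdEncoding.EncodeToString(j))
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(b64, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(iv, ct...), nil
}

// Unwrap reverses the layers: AES decrypt, base64 decode, JSON parse.
// Every stage reports failure so a wrong key or truncated capture is visible.
func Unwrap(key, blob []byte) (Message, error) {
	var m Message
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return m, errors.New("ciphertext too short or misaligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return m, err
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	b64, err := pkcs7Unpad(pt, aes.BlockSize)
	if err != nil {
		return m, err
	}
	j, err := base64.StdEncoding.DecodeString(string(b64))
	if err != nil {
		return m, err
	}
	err = json.Unmarshal(j, &m)
	return m, err
}

// demoKey is a constructed 32-byte key for the stand-alone run; not a real key.
var demoKey = bytes.Repeat([]byte{0x11}, 32)

func main() {
	blob, err := Wrap(demoKey, Message{Module: "stealer", Command: "fetch", Data: "constructed"})
	if err != nil {
		panic(err)
	}
	m, err := Unwrap(demoKey, blob)
	fmt.Printf("decoded: %+v err=%v\n", m, err)
}
```

Keeping each layer as a separate, error-reporting step lets an analyst tell a wrong key (padding or base64 failure) apart from a wrong envelope assumption (valid base64 that does not parse as JSON) when working through captured traffic.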
Chaes's distinctive use of a customized version of Google Chrome's DevTools Protocol sets it apart as an unusually bold piece of malware and underscores how invasive it is.
Moreover, Morphisec has identified numerous indicators that the modules of this malware are under continual refinement. This suggests a potential enhancement and expansion of their functionalities in the near future.